Charles is spot on - multiple users on a single desktop - each Windows
user is mapped to one user profile - if you don't force logging out of
Windows somehow, then it's the same as someone just leaving their
windows box running unlocked with a 5250 session open - security
breakdown - using SSO can't solve this human engineering issue.

A similar issue is, if a person needs to be an admin sometimes and a
regular user otherwise - those would need multiple windows logins - each
mapped to a different user profile - in the simplest scenario. There are
some additional EIM config things that might help here - haven't studied
that far yet.

I suppose, theoretically, that you COULD map many-one or one-many or
many-many in EIM - again, I've not tried much of that. I know that in
our app I could handle multiple mappings to our app users, maybe
displaying the choices. But this still depends on a single windows
domain user having been authenticated, not several.

The KISS principle applies strongly here.

HTH
Vern

On 4/3/2012 7:57 AM, Charles Wilt wrote:

You need to be clear about what you want to know about...

In a SSO w/EIM environment, the participating user profiles on the i
are configured with PASSWORD(*NONE)

So QPWDLVL doesn't really matter.

As far as multiple users using a 5250 session from a single
desktop...not going to work...
You'd either need to leave those users out of SSO or force them to
sign out of Windows and back in under the next user's AD credentials.

Can anyone elaborate on how they might have moved forward with such a
project, also, how did you handle the AD side of things with those
credentials and then having them match on the "I" side of things. Were you
forced to change your QPWDLVL at all, was/is there a way around only 10
characters for the as400 profile, was this an issue. How were you able to
get around multiple users using a computer for 5250 access once the AD
credentials were verified granting access to the desktop.